Various NERC Topics and Why Should You Care?

by Technology 27 October 2021

NERC Topics

The NERC CIP standards are mandatory security guidelines for companies that manage or control facilities that comprise the U.S. and Canadian electric power grid.

They were first accepted through the Federal Energy Regulatory Commission (FERC) in the year 2008. Their broad-based requirements have prompted substantial amounts of investment for the regulated utilities.

They have created the foundation for cybersecurity awareness in the electric utilities within North America. However, it is their basis as the model for a future list of Operating Technology cyber security compliance program management across the globe that will make the regulations mandatory for all industrial managers worldwide.

Which Topics Do NERC CIP Standards Cover?

Which Topics Do NERC CIP Standards Cover?

Subject Standard
Retired Sabotage Reporting CIP-001
Facility Categorization

Inventory Validation

Asset Classification & Identification

Asset Recognization

Plan Maintenance & Creation – Low-Priority Components

Senior Accountable Executive Designation

Plan Maintenance & Creation

Governance & Policy

Access Checks

Background Validations

Training Access Management

Staff & Training Security Awareness

Setting Up Electronic Security Measures or Equivalents

Security of Network

Protected Interactive Virtual Access Management

Physical Security Policies

Monitoring & Creation of Physical Security Measures

Physical Protection of Cyber Components

Control of System Security

Credential and Password Management

Management of Patch

Shared Accounts Management

Services & Ports Management

Logging of Security Event

Prevention of Malware

Incident Response for Cyber Security CIP-008
Recovery Strategies

Operations Continuity

Restoration and Backup

Transient Cyber Assets Management

Change Monitoring and Management

Vulnerability and Change Management

Management of Vulnerability

Configuration Management and Capture

BES Cyber System Records Protection

Classification and Protection of Records

Media Disposal

Communications of Control Center CIP-012
Security of Supply Chain CIP-013
Key Substations Physical Security CIP-014

The NERC standards typically cover the same broad topics as other cybersecurity frameworks like NIST CSF or CIS Top 20 Controls.

However, the NERC standards are much more explicit than these frameworks. They can be enforced on organizations that are subject to them, which includes imposing possibly large fines in the event of non-compliance.

Although these guidelines are crucial and could lead to fines if they’re not adhered to, some need more detail and explanation.

Why are NERC CIP Standards Important?

Why are NERC CIP Standards Important?

If you’re a North American electric utility, you must be aware that the NERC CIP standards demand substantial investment and the risk of penalties. Although most fines are in the lower five figures, more than one million dollars have been handed out due to a series of systemic violations.

The real impact of a flawed audit report is greater than the sum of the fine. Falsely reported violations or negative audit findings can cause management issues with shareholders, boards regulators, board members, and other stakeholders.

Outside of the energy utilities, which are the main subject on the agenda of NERC CIP, however, industries throughout North America and the world must begin to understand these standards and be prepared for similar requirements in their respective industries.

So, What’s The Takeaway?

The future of cybersecurity regulation is obvious – more prescriptive requirements and more auditing by regulators. This will need a significant shift in thinking, investment, and initiatives among industries across the globe.

Since the risk is more significant, we’d expect these new standards to be implemented more quickly as NERC CIP did. This will also imply lesser planning & development time, however, the scope will be as important as scoping NERC CIP.

Cyber security is frequently called “defense in depth”. It is not clear if that is an appropriate description of current threats. The truth is, a company can’t just leap into maturity “5”.

The earlier it starts to map its course – by using NERC CIP and various frameworks as its guides, the more achievable getting future compliance with the law can be.

Read Also:

Ariana Smith is a blogger who loves to write about anything that is related to business and marketing, She also has interest in entrepreneurship & Digital marketing world including social media & advertising.

View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *